Direct-to-Net (sometimes referred to as Split Tunneling) means allowing users to access the Internet and download files and applications directly, without “backhauling”.
Backhauling, very commonly used, requires all Internet traffic to pass back through the WAN and through the central secure gateway at the data centre for security screening and policy control.
With adequate proxy protection at the branch offices, it is just as secure as a traditional centralised proxy configuration.
With increasing volumes of content moving over the Internet, particularly with the explosion of Web 2.0, Direct-to-Net lets businesses offload from their WAN a variety of applications that used to be more LAN-centric, such as webmail for email, wikis for file sharing and WebEx for training – all at a lower cost than backhauling the traffic to the remote data centre.
This allows businesses to leverage the Internet for mission-critical applications and actually requires less of an infrastructure investment.
Deploying a Direct-to-Net configuration using a proxy architecture for WAN optimisation and security at the branch office, for example, can lead to considerable cost savings by eliminating the need to backhaul traffic over the WAN.
This also removes the need for a separate branch firewall and saves bandwidth by allowing application-level traffic management control.
Indeed, most organisations are unaware that a large part of their traffic is recreational. That traffic can be offloaded from the WAN using a Blue Coat PacketShaper solution, saving expensive bandwidth upgrades and removing WAN congestion.
Following are some commonly held myths about Direct-to-Net.
1. Direct-to-Net implies security risks.
False:
Theoretically, Direct-to-Net requires a company to have local gateway security at all remote branch locations, as Internet data would not be passing back through the data centre and a central gateway.
However, distributed proxy solutions do exist that can inexpensively provide enterprise-class protection and auditable compliance even at distant endpoints – especially when compared to operational savings from reduced bandwidth charges.
The same corporate policy controls set by IT management for the central gateway can be directly applied to all offices through the distributed proxy model and data on such issues as Internet usage, sites viewed, bandwidth used and saved can be similarly compiled into easy-to-understand reports.
2. Direct-to-Net doesn’t improve application performance.
False:
Most enterprises today use Internet applications for many business-critical processes (e.g. Salesforce.com), which require quick and secure access.
By deploying a Direct-to-Net web access architecture, a company avoids backhauling Internet applications across the WAN and through the central gateway, which wastes backhaul bandwidth and adds unnecessary delay as Internet requests hop around the WAN.
Not only is WAN bandwidth freed for use by internal applications, but appropriate Internet-bound traffic is accelerated directly at the branch through the use of HTTP/HTTPS protocol optimisation and local caching.
3. Combining Direct-to-Net Internet access for users with point-to-point VPNs creates a backdoor into my secure network.
False:
Although in theory direct user access and site-to-site “split tunnel” VPNs can put the corporate network at risk, with adequate proxy protection, these risks are no greater than Internet-based threats coming in through a central gateway.
By deploying a secure proxy appliance at each of the critical points – each branch office and the data centre – an enterprise customer can be assured that all Internet traffic still passes through a gateway proxy and is kept separate from the VPN and off central networks.
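The invariant behind myth 3 is that corporate-bound traffic uses the site-to-site VPN while every Internet-bound flow traverses the branch proxy, and neither path leaks into the other. The following added example (not from the article or Blue Coat) models that split-tunnel decision and audits a constructed set of observed branch flows against it; the prefixes, proxy placement and sample flows are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values, not from the article): corporate
# prefixes reachable only over the site-to-site VPN, and the branch's own LAN.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
BRANCH_LAN = ip_network("192.168.1.0/24")


def route_for(dst: str) -> str:
    """Split-tunnel decision: 'lan' stays local, 'vpn' is a corporate prefix
    that must use the tunnel, 'proxy' is Internet-bound and must traverse the
    branch proxy for policy control and content screening."""
    addr = ip_address(dst)
    if addr in BRANCH_LAN:
        return "lan"
    if any(addr in net for net in CORPORATE_NETS):
        return "vpn"
    return "proxy"


def audit_flows(flows):
    """Return flows whose observed path breaks the invariant. Each flow is
    {"dst": address, "path": "lan" | "vpn" | "proxy" | "direct"}. The two
    cases that matter are Internet traffic that entered the VPN tunnel (the
    'backdoor' of myth 3) and Internet traffic that skipped the proxy."""
    findings = []
    for flow in flows:
        expected = route_for(flow["dst"])
        if flow["path"] != expected:
            findings.append(
                {"dst": flow["dst"], "observed": flow["path"], "expected": expected}
            )
    return findings


# Constructed sample of flows as a branch router's flow export might report them
SAMPLE_FLOWS = [
    {"dst": "10.20.30.40", "path": "vpn"},      # data-centre server via tunnel: correct
    {"dst": "192.168.1.25", "path": "lan"},     # local printer: correct
    {"dst": "203.0.113.5", "path": "proxy"},    # SaaS site via branch proxy: correct
    {"dst": "203.0.113.9", "path": "vpn"},      # Internet host hairpinned into the tunnel
    {"dst": "198.51.100.7", "path": "direct"},  # Internet host that bypassed the proxy
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['dst']}: observed {f['observed']}, expected {f['expected']}")
```

Run against a real flow export, the two findings are the ones to alert on: a proxy bypass means unscreened Internet access, and an Internet destination inside the tunnel means the branch is hairpinning traffic the data centre never intended to carry.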
4. Direct-to-Net cost savings aren’t worth the trouble.
False:
Though not as convenient as provider-managed MPLS links, in most places around the globe general Internet access is available at a fraction – often 25 percent or less – of the cost of MPLS or point-to-point links on a per-bandwidth basis.
Combined over many branches, that offers significant savings, while providing latency and loss characteristics similar to those of the second and third tier of MPLS service groups.
5. With Direct-to-Net, I do not have protection against spyware or malware in embedded URLs.
False:
As the majority of threats evolve to user-initiated or targeted attacks through a web browser, whatever security precautions you deem appropriate for your core gateway should be applied at a Direct-to-Net branch office as well.
Fortunately, distributed proxy solutions exist that provide enterprise-gateway class protection in branch-sized appliances, all using the same policy and reporting infrastructure as the central gateway.
Additionally, endpoint protection against these threats should also be a part of a multi-layered risk mitigation strategy, regardless of where the users are connecting.
Top five myths about Direct-to-Net
By Wayne Neich on Oct 28, 2008 10:51AM